This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cyber Insecurity: When Contractors Are Weak Link

Government and defense contractors play a crucial role in protecting sensitive information. But the evidence suggests they are losing the battle.

In the best of times, the federal government and private-sector companies work in a delicate synergy to make the products and services required to sustain government operations, develop advanced systems, and enhance systems currently in use. The government also looks to the private sector to support military dominance on the battlefield and protect closely held information. But that arrangement can lead to serious risks when contractors fail to protect their operations adequately from cyber-attacks.

Many of the contractors working with government handle terabytes of data peppered with personally identifiable information, including medical data covered under Health Insurance Portability and Accountability Act (HIPAA) provisions, as well as financial information related to civilian and military personnel. The prevalence and scope of cyber-attacks on this information via contractors is significant, as is the potential danger.

US-CERT reports the number of incidents reported by federal agencies in 2012 was 48,562, up more than 700 percent since 2006. In general, within government, we simply cannot wrap our minds around this problem because it is both very large and highly pervasive.

What’s troubling is that in a number of cases, these companies have had prior indications, warnings and even outright formal notices before or immediately after these attacks, leaving little to the imagination regarding what happened. All that is left afterwards is to assess the damage, build the wall higher, and find innovative ways to track down and neutralize the culprits’ abilities to gain access and “exfiltrate” data.

For three years, one defense contractor was compromised by an advanced persistent threat attack. As InformationWeek reported, investigators hired by the contractor company said that despite ongoing warnings from numerous organizations, including NASA and the Naval Criminal Investigative Unit, the contractor's networks had been compromised. They also found that company officials failed to realize that attackers were maintaining a persistent presence in their network and react accordingly.

The attackers allegedly captured cutting-edge US military drone and robot weapons-systems design and technical specifications and brought competing products to market, according to a subsequent report from Bloomberg. The report cited several firms hired by the defense contractor to investigate apparent intrusions. Investigators told Bloomberg that the ongoing attacks were launched by the Shanghai-based Comment Crew.

Determined adversaries Earlier this year, security firm Mandiant reported targeted attacks had compromised 141 businesses, none of which it named, across 20 industries. According to Mandiant, the attackers weren't just supported by China, but were actually part of the People's Liberation Army (PLA) Unit 61398, which is an elite military hacking unit. Chinese officials have denied these allegations.

The threats had reached the point that the Pentagon, in its annual report to Congress, accused the Chinese military of mounting cyber-attacks on the US government and various defense contractors. It marked the first time that the Obama administration has explicitly blamed Chinese officials for the country's offensive cyber-activities, according to a May 7, 2013, report in Foreign Policy. The report, which called the cyber-attacks a "serious concern," said that US government computer systems "continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military."

China's primary objective appears to be the theft of industrial technology, but according to the report the information gathered by Chinese hackers could easily be used for "building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis." The diplomatic, economic, and defense industrial sectors that form the basis of US defense programs are all being targeted, the report said. China rejected the accusations saying that it "resolutely oppose[s] all forms of hacker attacks."

But a 2012 Defense Security Service report found that many of these computer network exploitations (CNE to cyber-professionals), were targeting critical systems, including unmanned vehicles (air and ground); networks and sensors; command, control, communications, and computers (C4I) systems; aircraft systems; ground combat systems; and nanotechnology.

Also of concern were the methods used by adversaries, including encryption of data and masking of data to get around both the built-in security systems and to limit the ability of investigators to track down the specific attacker.

Inadequate reporting Defense contractors are given guidelines that clearly lay out the rules, policies, and procedures for reporting suspicious network contacts. However, many such reports contain too little information to classify the nature of the attack and the targeted technology of such attacks appropriately.

Given the lack of full and complete information in the reporting provided by the contractor community, we in the military do our best to figure out exactly who is coming after critical program information and how successful those adversaries are in capturing targeted research, design, and technical information, as well as associated documents, such as training, security classification guides, operating manuals, and other information.

What should the government, and more specifically the Department of Defense, do in response to the growing threat and perceived lack of serious efforts to curb the intrusions?

Moving email to the cloud has lowered IT costs and improved efficiency. Find out what federal agencies can learn from early adopters. Also in the The Great Email Migration issue of InformationWeek Government: Lessons from a successful government data site. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.

The Snowden incident is one dimension of the problem. Yes, agencies can increase measures to guard against the theft / loss of information. The NSA, for instance, is now requiring that two individuals be present during the transfer of any classified information. But it's much harder to control, discipline or simply fire a long standing but careless contractors whose systems are often grafted into an agency's systems.

It seems hard to imagine the government couldn't do more, as yoiu put it, to hold contractor companies accountable for inadequate safeguards and lack of security measures to protect critical program information, sensitive information, and even classified information.

I wonder about the wisdom of spreading records around so many contractors when top-notch security expertise is so expensive and scarce. Sure, putting assets with a few large suppliers makes for more tempting targets, larger firms can in theory afford and deploy cutting-edge security.

I'd be curious to know whether these same patterns occur in the Canada, the U.K., or other NATO allies. Is their distribution of labor between contractors and government employees similar or vastly different? Much better managed or about the same?

U.S. government systems can't be the only ones that are under attack, although the U.S. is obviously a big target.

This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!